Abstract: Under AFOSR award number FA9550-10-1-0341, we have funded several research projects that have yielded a large number of publications and conference presentations in the area of Supervisory Control And Data Acquisition (SCADA). Details of each project are included below. The tasks include work in link encryption for existing legacy SCADA equipment, where we continue to develop lightweight encryption schemes applicable to low-bandwidth, low-energy environments such as the smart grid. We have investigated the use of a domain-specific language for authoring and monitoring compliance of SCADA systems, including technologies for a “policy monitor” which reports on any compliance issues. We worked with students in the Computer Engineering School at the University of Nebraska Lincoln to design and implement a low-cost hardware-in-the-loop device, which can be used to mimic the activities in an industrial control system. Specific to the transportation industry, we participated in an investigation of SCADA systems in airports, which we reported on at a conference and in a journal paper.


We have conducted extensive investigations into the hardware purchased under this AFOSR award from Allen-Bradley and Rockwell Automation. These investigations have yielded several important technical publications as well as, more recently, an event we reported to ICS-CERT and to Rockwell. We used a method called “learned event patterns” to build a simple system for intrusion detection or anomaly detection within SCADA systems. All of these research projects have yielded publications and have advanced the state of the art in SCADA research, as well as funding important undergraduate and graduate student experiences.
We continue to utilize the funding for four concurrent research projects, which are detailed below.

• Exploration of Language-Driven Compliance: We created a novel approach to precisely specify constraints mandated by regulatory requirements on a control system and implemented software to monitor the corresponding compliance status in near-real-time. Our research focused on the design of a language that bridges the gap between abstract regulatory policies and the realities of implementation.

Essentially, each regulatory check, a “policy monitor”, is authored in a new language we are developing called ADACS (Autonomous component-based policy Description Language for Anomaly monitoring in Control Systems). The semantics of our language are closer to discrete real-time system interactions expressed as events encoded in XML messages, and the language is compiled into binaries of a general-purpose language that is portable across many hardware and software platforms.

Accomplishments: We presented the research at two conferences and in one publication, and used this as a starting point for an SBIR grant which was subsequently awarded (Phase 1 only). This SBIR also yielded a chapter in a book on smart power grids.

• Creation of a Low-Cost Hardware-in-the-Loop Device: We utilized funding through AFOSR in the creation of two devices used in our labs. The first was a primitive PLC-like device, which could be programmed to toggle various I/O lines through a simple program. This was used to feed “live” data into the remainder of our lab infrastructure, providing a hardware-in-the-loop capability for simulations. A follow-on project made a second unit that had a much simpler interface and could be commanded over a plain USB connection. Thus we can have a software simulation that drives actual hardware signals into the control equipment.

Accomplishments: We reported on the first of these two devices in a paper delivered at a Special Track on Mission Assurance and Critical Infrastructure Protection.

• Improvements in Quasigroup Encryption for SCADA: We have been working on link encryption schemes in the critical infrastructure protection realm with the intent of providing a low-cost, low-overhead link encryption processor implemented in hardware. We have developed a preliminary version of the encryption system that has been published at various venues. We are continually improving its strength against various cryptanalytic attacks and modifying its structure to better suit low-cost FPGA implementation.

Accomplishments: This work is ongoing, now with more limited resources, but with promising results. We have reported on some of these results and are in the process of implementing newer versions of our work on smaller platforms to test feasibility.

• Reverse Engineering of the CIP and EtherNet/IP Protocols: This project was one of the heavily emphasized areas explored with the funding from the award. The aim was to reverse engineer the EtherNet/IP protocol (here IP stands for Industrial Protocol, not Internet Protocol) and Common Industrial Protocol (CIP) standards and explore potential vulnerabilities. Two students were partially funded from a National Science Foundation summer research grant, while two faculty members were funded through AFOSR for research support. The aim of the work was to explore potential exploits and demonstrate the fragility of some critical infrastructure equipment.

Accomplishments: We have exposed weaknesses in the Common Industrial Protocol (CIP) application data that can be carried over several different interfaces. We created a systematic process for reverse engineering CIP messages from packet captures of a SCADA network and exposed vulnerabilities in this implementation of CIP for SCADA. Several papers have been published on our results (detailed in the publications section). One flaw was sufficiently significant that the student and faculty submitted the results to ICS-CERT and then worked with Rockwell Automation to address the issue. For this work we utilize a test-bed environment that serves as a scale model of a real-world oil pipeline. Reverse engineering of EtherNet/IP packets from the network traffic allowed us to determine the structure, command options, and potentially vulnerable fields. Two students partially funded through AFOSR developed sophisticated Python programs to aid in the reverse engineering of captured CIP network traffic, and these tools have been shared with the industrial control researchers at Sandia National Labs. Our follow-on work will be to (A) expand our critical infrastructure equipment to include manufacturers suggested by external partners and (B) create a CIP “fuzzer” to further investigate weaknesses within this protocol and associated equipment. This system will offer significant benefits to our national and economic security by protecting the integrity and availability of pervasive automated communication processes between components on distributed insecure systems of vital infrastructure.
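As an added illustration of the kind of capture-dissection tooling described above (this is not the project's own Python code), the following parses the 24-byte EtherNet/IP encapsulation header that every CIP-over-TCP frame begins with and flags the inconsistencies a passive network monitor would report, such as a length field that disagrees with the bytes actually present. The sample frames are constructed here, not taken from the project's captures.

```python
import struct

# Encapsulation command codes defined by the EtherNet/IP specification.
ENIP_COMMANDS = {
    0x0000: "NOP",
    0x0004: "ListServices",
    0x0063: "ListIdentity",
    0x0064: "ListInterfaces",
    0x0065: "RegisterSession",
    0x0066: "UnRegisterSession",
    0x006F: "SendRRData",
    0x0070: "SendUnitData",
}

# Header layout (little-endian): command, length, session handle,
# status, 8-byte sender context, options.
HEADER_FMT = "<HHIIQI"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24 bytes

def parse_enip(frame: bytes) -> dict:
    """Parse one encapsulation frame (header + command data) and return
    its fields together with a list of findings a monitor would flag."""
    findings = []
    if len(frame) < HEADER_LEN:
        return {"ok": False, "findings": ["truncated header"]}
    cmd, length, session, status, ctx, options = struct.unpack_from(HEADER_FMT, frame)
    data = frame[HEADER_LEN:]
    if cmd not in ENIP_COMMANDS:
        findings.append(f"unknown command 0x{cmd:04x}")
    if length != len(data):
        findings.append(f"length field {length} != {len(data)} payload bytes")
    if options != 0:
        findings.append("options field must be zero")
    if cmd in (0x006F, 0x0070) and session == 0:
        findings.append("session-bound command with null session handle")
    return {"ok": not findings, "command": ENIP_COMMANDS.get(cmd, "UNKNOWN"),
            "length": length, "session": session, "status": status,
            "payload": data, "findings": findings}

# Constructed sample: a well-formed RegisterSession request (protocol version 1, option flags 0).
REGISTER_SESSION = struct.pack(HEADER_FMT, 0x0065, 4, 0, 0, 0, 0) + struct.pack("<HH", 1, 0)
# Constructed sample: a SendRRData frame whose length field claims more data than is carried.
BAD_LENGTH = struct.pack(HEADER_FMT, 0x006F, 64, 0x11223344, 0, 0, 0) + b"\x00" * 16

if __name__ == "__main__":
    for name, frame in (("register", REGISTER_SESSION), ("bad_length", BAD_LENGTH)):
        print(name, parse_enip(frame)["findings"])
```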


• Exploration of Spoofing for Small PLCs: For this project we explored the file system in a small Allen-Bradley PLC and determined whether it could be replaced with other code in order to fool the equipment operator into seeing false information.

Accomplishments: We were able to download false HTML web pages into the device and give the illusion that the system was performing normally; we reported on these results at an international cybersecurity conference at Purdue.

• Analysis of SCADA Specific to Transportation: An additional exploration area was critical infrastructure protection as it relates to airport security. In conjunction with a European company in the airport security domain, we examined specific equipment in an international airport and interviewed the IT staff.

Accomplishments: We were surprised to discover that, relative to other critical infrastructure domains, the airport domain is relatively secure as far as SCADA is concerned. Interestingly, this is mainly due to the lack of SCADA equipment in critical areas rather than to any particular vulnerabilities. We did report these findings at a conference, and the paper was reprinted as a journal article.